Open c4-bot-6 opened 6 months ago
cryptotechmaker (sponsor) confirmed
dmvt marked the issue as primary issue
dmvt marked the issue as selected for report
dmvt changed the severity to QA (Quality Assurance)
dmvt marked the issue as grade-a
dmvt marked the issue as not selected for report
Lines of code
https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/Magnetar.sol#L204-L208
Vulnerability details
Description
In
Magnetar
a user can batch a lot of calls to the Tapioca ecosystem. One of these is theMagnetarAction.Permit
. This performs various permit operations. One if the targets of these operations is theIPearlmit.approve
operation:Magnetar::_processPermitOperation
:Then in
MagnetarStorage::_checkSender
:There is a check that if what is sent as the first argument to the call is
!= msg.sender
thenmsg.sender
must be whitelisted.The issue is that this code makes an erroneous assumption about
IPearlmit::approve
:Here you see that the first argument is the
token
contract for which the approval is for.Pearlmit
will infer the owner frommsg.sender
which will be theMagnetar
contract.Hence, for any end user, this can never pass the
_from != msg.sender
check. For the call to work, every end user must be whitelisted.Impact
MagnetarAction.Permit
interaction withPearlmit
doesn't work as it requiresmsg.sender
to be whitelisted.Whitelisting end user addresses will enable abuses as described in
M-13
in the Pashov audit group report. Since that's not an option, theIPearlmit::approve
interaction onMagnetar
will not work.Proof of Concept
Test in
tap-token/test/MagnetarWhitelist.t.sol
:Full test setup can be found here
Tools Used
Manual audit
Recommended Mitigation Steps
Consider removing this functionality as the
owner
is inferred from the caller which will always be theMagnetar
contract.Assessed type
Invalid Validation